Monday, October 25, 2021

Use of scareware increasing to trick staff working from home: Report

Tech support scams using pop-up messages with fake warnings of computer problems are increasingly being used to take advantage of employees working from home, according to customer data gathered by Fortinet.

Malvertising and scareware were detected by one in four organizations running Fortinet devices in the first half of the year, the company said Monday in its semi-annual global threat landscape report. It was a figure that surprised some in the company.

“That’s a pretty high number,” Derek Manky, Vancouver-based chief of security insights and global threat alliances at FortiGuard Labs, said in an interview. “This is something we haven’t seen for about 10 years.”

“These are web-borne threats now targeting the work-from-home environment. But they’re very much trying to double down, instead of just doing social engineering through social media campaigns, by using websites that are impersonating tech support departments.”

One of the most popular malware families recently seen, says the report, is dubbed Cryxos. These are trojans that display messages saying a user’s computer or web browser has been blocked by a virus and personal data is being stolen. The message tells the user to phone a number to get help removing the infection. A threat actor may prepare for the attack by compromising a legitimate web page, or setting up a malicious one, so the pop-up appears to anyone who visits the page.

Other tactics include phishing email messages with COVID-19 related attachments that either inject code into a victim’s computer or direct them to malicious sites. “Such techniques have risen in popularity of late as a way to exploit peoples’ craving for news/information during the COVID-19 pandemic and the concurrent transition to working from home outside corporate web filters,” the report says.

Other patterns detected in the first half of the year included:

– the well-documented rise of ransomware. The average weekly ransomware activity in June was more than 10 times higher than levels from one year ago.

The report also notes some ransomware operators shifted their strategy away from email-initiated payloads to focusing on gaining and selling initial access into corporate networks. That, the report says, is part of the continuing evolution of ransomware-as-a-service (RaaS) fueling cybercrime;

– botnets continue to be a threat. At the beginning of the year, 35 per cent of Fortinet customers detected botnet activity of one sort or another; six months later it was 51 per cent.

A large bump in TrickBot activity was responsible for the overall spike in botnet activity during June, the report notes. Partly crippled by attacks last fall, TrickBot has shown a resurgence, moving from a banking trojan into what the report says is a “sophisticated and multi-stage toolkit supporting a range of illicit activities.” The Mirai botnet is still the most prevalent;

– operational technology (OT) networks are increasingly being targeted. While IT-related exploits are clearly more numerous and exhibit greater prevalence and volume, the report says the “relatively high level of exploitation targeting OT may surprise many.” The figures Fortinet gathered “shatters the perception that ICS (industrial control system) exploits are an obscure niche of the cyber threat landscape.”

– it’s not all bad news. Several events in 2021 show positive developments specifically for defenders, says the report. The original developer of TrickBot was arraigned on multiple charges in June. Also, the co-ordinated takedown of Emotet, described by the report as “one of the most prolific malware operations in recent history,” as well as actions to disrupt the Egregor, NetWalker, and Cl0p ransomware operations were significant.

The level of attention that some attacks garnered spooked a few ransomware operators (Ryuk, Darkside) to announce they were ceasing operations, the report adds.

In the interview, Manky emphasized there are a lot of relatively simple ways CISOs can reduce risk in their organizations, including using intrusion prevention software, watching for evidence of evasion of anti-virus and other defences, and watching for evidence of unexpected privilege escalation.

“It’s all about making it more expensive for cyber criminals,” he said.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
